1. Who we are and how to reach us
Salaam Health Ltd ("we", "us"), a company registered in England and Wales (company number 11452647), is the data controller for personal information collected through northharrowpharmacy.co.uk. Our registered office is Devonshire House, 582 Honeypot Lane, Stanmore, HA7 1JS. We are registered with the Information Commissioner's Office (ICO), registration number ZA791809.
For any privacy enquiry, contact us at hello@northharrowpharmacy.co.uk. Mark your email "Privacy enquiry" for fastest handling.
2. What this policy covers
This policy explains what personal data we collect about you, how we use it, who we share it with, how long we keep it, and the rights you have under UK GDPR and the Data Protection Act 2018.
3. The data we collect
We collect the following categories of data:
- Identification data: name, date of birth, sex assigned at birth, email address, mobile phone number, UK postal address, UK GP details.
- Identity-verification data: when you verify your identity through Stripe Identity, we store the name, date of birth and (for driving licences) address read from your document, encrypted, together with the outcome of the check. Your prescriber also re-checks your photo ID at the video consultation. We do not store images of your ID document or selfie on our own systems.
- Health data ("special category data"): height, weight, BMI, medical history, current medications, allergies and previous reactions, pregnancy and contraception status (where relevant), planned procedures, weight-loss treatment history, lifestyle information, and clinical notes from your consultations.
- NHS record information: with your consent, our prescriber may view relevant information in your NHS record via the National Care Records Service as part of your clinical assessment. Anything relevant to a prescribing decision is recorded in your clinical record with us.
- Consultation data: your video consultations are not recorded. With your consent, an AI medical notetaker may listen to the live call solely to help your prescriber produce accurate written notes — the audio is not kept; the written notes are saved to your medical record.
- Transactional data: orders, payment status, refund records, prescription history, dispensing records, tracking numbers. We never store full card numbers.
- Communication data: emails, SMS, secure messages exchanged with our clinical team, and your marketing preferences and consent history (what you agreed to, when, and the exact wording version).
- Technical data: IP address (for security and audit), browser user agent, login timestamps, and cookie data as described in our Cookie Policy.
4. Lawful bases
We rely on the following lawful bases under UK GDPR:
- Contract (Article 6(1)(b)) — to deliver the consultation, dispensing and delivery service you have asked us for.
- Legal obligation (Article 6(1)(c)) — to comply with our obligations under the Human Medicines Regulations 2012, the Pharmacy Order 2010, GPhC standards, and tax/accounting law.
- Vital interests (Article 6(1)(d)) — to share information with emergency services or your GP where there is a serious risk to your health.
- Consent (Article 6(1)(a)) — for marketing emails and SMS (including reminders about an unfinished order or your next supply), and for non-essential cookies. You can withdraw this at any time via your portal preferences, the link in any marketing email, or by replying STOP to an SMS.
- Explicit consent (Article 9(2)(a)) — for processing your health data, viewing relevant information in your NHS record via the National Care Records Service, and informing your GP about your treatment. You provide this when you submit your consultation, and you can manage your consents from the Privacy & data page in your portal.
- Provision of health care (Article 9(2)(h)) — for the clinical assessment, prescribing and dispensing of your treatment.
5. How we use your data
We use your data for: (a) conducting your clinical consultation and prescriber review, including viewing relevant information in your NHS record via the National Care Records Service with your consent; (b) verifying your identity; (c) processing payments and refunds; (d) prescribing, dispensing and delivering medication; (e) communicating with you about your treatment and your account; (f) informing your GP when treatment is prescribed, so your medical record stays up to date; (g) keeping clinical and regulatory records as required by law; (h) preventing fraud and protecting the security of our systems; and (i) sending you marketing communications where you have consented (see section 6).
We never sell your data to third parties, and we never share your questionnaire answers or clinical record with advertising platforms.
6. Marketing communications
If you consent when completing your questionnaire (or later in your portal preferences), we may send you emails and SMS about your own care journey with us — for example a reminder to finish an order you started, that your next supply is due, or that a check-in consultation is coming up. These messages are about you and your account; they are not third-party advertising.
You can stop them at any time: use the preferences link in any marketing email, reply STOP to any marketing SMS, or change your settings on the Preferences page of your patient portal. Service messages essential to your safety and your orders (for example dispatch notifications, consultation reminders you've booked, or clinical follow-ups) are sent regardless of marketing preferences.
7. Automated eligibility screening
When you submit the online questionnaire, our system automatically screens your answers against the licensed criteria for the treatments we offer (for example age, BMI and certain medical conditions). If your answers fall outside those criteria, you will be told you are not eligible without a human reviewing the result first. This screening exists for your safety and applies the same published clinical rules to everyone.
Every order that proceeds is always reviewed by a human prescriber — on a video consultation — before any medicine is dispensed. If you believe an automated outcome is wrong, contact us at hello@northharrowpharmacy.co.uk and a clinician will review your case personally.
8. How we protect your data
Your personal and health data is held on UK-based servers and encrypted at rest at the field level for the most sensitive categories (PII and clinical answers). Connections to our website are encrypted in transit (HTTPS, HSTS). Access to your record by our clinical team is logged in an immutable audit trail. Patient passwords are stored using argon2id hashing; prescriber accounts require two-factor authentication.
9. Who we share data with
- North Harrow Pharmacy — our own dispensing pharmacy (GPhC 1034996). They receive the details needed to dispense and deliver your treatment.
- Your GP — we will inform your GP when treatment is prescribed, with the consent you give at your consultation, so your medical record stays up to date and your care remains joined up.
- NHS National Care Records Service — with your consent, our prescriber may view relevant information in your NHS record as part of your assessment. This is access to NHS-held data, governed by NHS England's controls; we record anything clinically relevant in your record with us.
- Stripe — our payment processor and identity-verification provider (US-based, with UK GDPR safeguards). For payments they receive transaction data; for identity checks they process images of your ID document and selfie. They never receive your health record.
- Resend — our email provider, used to deliver booking confirmations, password reset emails, clinical communications and (with your consent) marketing emails. They receive your email address and message content.
- Twilio — our SMS provider, used for order updates, consultation reminders and (with your consent) marketing SMS. They receive your mobile number and message content.
- Daily.co — our video-consultation provider. Calls run through their UK/EU-compliant infrastructure and are not recorded.
- AI medical notetaker (e.g. Heidi) — with your consent, used during consultations to produce written clinical notes. Live audio is processed only to create the notes and is not retained.
- Royal Mail / our courier — for delivery of your prescription. They receive name, address and tracking-only details.
- Google Analytics & Meta — receive cookie-based usage and advertising-measurement data from our public pages as described in our Cookie Policy. They never receive your questionnaire answers or clinical record.
- Cloudflare & UpCloud — our security/network layer and UK-based hosting provider, which process data as part of running the website securely.
- Regulatory bodies (GPhC, MHRA, ICO) where required by law or in response to a lawful request.
10. How long we keep data
We retain clinical and prescribing records for 7 years after your last interaction, in line with the NHS Records Management Code of Practice and UK pharmacy regulatory requirements. Audit logs are retained for the same period. Marketing-related data (if any) is retained for no longer than 24 months. Some data must be retained for accounting/tax purposes for 6 years.
11. Your rights
Under UK GDPR you have the right to:
- Access a copy of the personal data we hold about you (subject access request)
- Request correction of inaccurate data
- Request erasure of your data ("right to be forgotten") — note that we may not be able to delete clinical records required to be retained by law
- Restrict or object to processing in certain circumstances
- Receive your data in a portable format
- Withdraw consent (where consent is the lawful basis)
- Lodge a complaint with the Information Commissioner's Office at ico.org.uk
To exercise any of these rights, email hello@northharrowpharmacy.co.uk from the address on your account. We will respond within one month.
12. Cookies
We use strictly necessary cookies (login, form security, fraud prevention), analytics cookies (Google Analytics) and advertising cookies (the Meta Pixel) on our public pages. Analytics and advertising cookies never contain your health information. See our Cookie Policy for the full list and how to opt out.
13. International transfers
Your clinical record is held on UK-based servers. Where a processor (e.g. Stripe, Resend, Twilio, Google, Meta) is based outside the UK, transfers are made under UK GDPR's appropriate safeguards including Standard Contractual Clauses, the UK Addendum and the UK–US Data Bridge where applicable.
14. Children
Our service is not for anyone under 18. We do not knowingly collect personal data from children. If you believe a child has provided data to us, contact us and we will delete it.
15. Changes to this policy
We may update this policy. The "last updated" date at the top reflects the latest revision. Material changes affecting your rights will be notified to you in advance via email or via your patient portal.
Questions about your data?
For any privacy enquiry, email us and mark your message "Privacy enquiry" for fastest handling.
